More DDoS Attacks on the Way?

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters is claiming it waged online attacks against three banks last week. And it's yet again warning of more distributed-denial-of-service attacks to come.

In a Jan. 22 posting on the open forum Pastebin, the group claimed it attacked PNC Financial Services Group, Fifth Third Bank and JPMorgan Chase & Co. last week.

"We have repeatedly stated that removal of the offensive video, Innocence of Muslims, from YouTube is the simplest solution to stop the cyber-attacks," the hacktivists state. "You want to continue playing the game, yes?"

In a Jan. 8 post, Izz ad-Din al-Qassam Cyber Fighters suggested its attacks would be waged for 56 additional weeks, based on a series of numerical sequences developed from tallied likes and dislikes affiliated with the YouTube video, which it claims is offensive to Muslims. But in its most recent post, the group says the attacks could continue even longer, based on updated totals affiliated with those likes and dislikes. And the group contends that each minute of a DDoS attack is costing U.S. banks $30,000.

In recent weeks, most of those institutions have either declined to comment about strikes against their sites or have suggested the increased traffic has minimally affected their customers.

Banks Improving Defenses

Keynote Systems Inc., an Internet and mobile cloud testing and monitoring firm that tracks online traffic, reported Jan. 17 that outages affecting U.S. banking websites have declined in recent weeks. Keynote tracks site availability statistics for all leading U.S. financial institutions and other companies across numerous industries.

Ben Rushlo, Keynote's director of performance management, told BankInfoSecurity that banks have done a better job of maintaining site availability. Since mid-December, the banks' average site availability rate has been 97.21 percent. By comparison, during the first campaign, the average availability rate was 94.86 percent.

But how long banks can maintain their defenses is uncertain.

Dan Holden, director of the security engineering research team for DDoS-prevention provider Arbor Networks, says the longevity of the attacks suggests Izz ad-Din al-Qassam is not acting alone. "Even if it is hacktivism, there is some serious backing of it, mainly because of the investment it takes to keep it going," he says.

That kind of financial backing is concerning, Holden adds, because it means the attacks could go on indefinitely. And the longer the attacks run, the bigger the botnet grows.

"They are taking over more servers and launching their attacks from more places," Holden says. "The longer the campaign goes on, and more cleanup effort that is occurring, the more the attackers are working to be out in front."

Some observers have speculated that Iran is backing the DDoS strikes against banks as payback for cyberespionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems. But others, like Holden, aren't so sure. "We've seen no proof that these attacks are backed by Iran," Holden says, and the highly publicized nature of these attacks is not typical of cyberwar activity. "Look at Stuxnet and Flame," he says. "Those were never supposed to be discovered."

For more information about the recent DDoS strikes against U.S. banks, see:

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;